fix xss in dictionary, ip, and stackexchange

meow
mat 2024-03-17 22:16:21 -05:00
parent ffad6869c9
commit 281b2db2f2
4 changed files with 14 additions and 2 deletions


@ -73,6 +73,7 @@ pub fn parse_response(HttpResponse { res, body }: &HttpResponse) -> eyre::Result
html.push_str(&format!(
"<h2 class=\"answer-dictionary-word\"><a href=\"https://en.wiktionary.org/wiki/{mediawiki_key}\">{word}</a></h2>",
mediawiki_key = html_escape::encode_text(mediawiki_key),
word = html_escape::encode_text(&word),
));
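Review bot: `mediawiki_key` is interpolated inside the double-quoted `href` attribute, but `html_escape::encode_text` escapes only `&`, `<` and `>`, so a `"` in the key would still end the attribute. Use the attribute encoder for that argument, `mediawiki_key = html_escape::encode_double_quoted_attribute(mediawiki_key),`, and keep `encode_text` for `{word}`, which sits in element text. The value is also a URL path segment, so percent-encoding it before the HTML encoding would keep keys containing `?` or `#` pointing at the intended page; whether such keys can occur is not visible here. The enclosing `parse_response` starts and ends outside the hunk.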


@ -9,5 +9,8 @@ pub fn request(query: &SearchQuery) -> EngineResponse {
let ip = &query.ip;
EngineResponse::answer_html(format!(r#"<h3><b>{ip}</b></h3>"#))
EngineResponse::answer_html(format!(
r#"<h3><b>{ip}</b></h3>"#,
ip = html_escape::encode_text(ip)
))
}
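Review bot: `EngineResponse::answer_html` appears to take a raw HTML string, so escaping stays the job of every caller, and this commit has to patch the same pattern by hand here and in the user-agent hunk that follows. A comment at both call sites would record that contract, for example `// answer_html is emitted unescaped: HTML-encode every interpolated value`. `encode_text` is the right encoder in both places because the value lands in element text, not in an attribute. A small shared helper that escapes the value and wraps it in `<h3><b>…</b></h3>` would remove the duplicated markup, though it would live outside these hunks.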


@ -12,7 +12,10 @@ pub fn request(query: &SearchQuery) -> EngineResponse {
let user_agent = query.request_headers.get("user-agent");
EngineResponse::answer_html(if let Some(user_agent) = user_agent {
format!("<h3><b>{user_agent}</b></h3>")
format!(
"<h3><b>{user_agent}</b></h3>",
user_agent = html_escape::encode_text(user_agent)
)
} else {
"You don't have a user agent".to_string()
})


@ -48,6 +48,11 @@ pub fn parse_response(body: &str) -> Option<String> {
.html()
.to_string();
let answer_html = ammonia::Builder::default()
.url_relative(ammonia::UrlRelative::RewriteWithBase(url.clone()))
.clean(&answer_html)
.to_string();
let url = format!("{url}#{answer_id}");
Some(format!(
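Review bot: Only `answer_html` passes through the sanitizer; the `url` rebuilt from `answer_id` on the line after it, and anything else the following `format!` interpolates, are not covered by this change. The arguments of that `format!` are outside the hunk, so confirm that every other value placed in the markup is encoded there, with `html_escape::encode_double_quoted_attribute` for values that land inside an attribute. A short comment above the builder would also help the next reader, such as `// third-party HTML: keep only ammonia's default allow-list and rebase relative links onto the answer URL`.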